Category Archive: 'security'

I’ve been reading a lot today about the Equifax compromise, where you, the person whose data Equifax collected, were caught with your pants down because — although you buckled the belt as you should — the manufacturer forgot to secure the buckle to the belt. When you bent over to pick up that hot dog that landed on the floor — whoops, your privates, and those of 143 million other individuals about whom Equifax had data (about 44%), were put out there for all the world to see, to point at, and to laugh.

Don’t you feel embarrassed? Don’t you feel like you should lock yourself up in a dark room and hide forever?

¹: [Update: They later clarified this wasn’t the case, although initial language made it appear to be the case. Translation: Sloppy response to the situation; poor contingency planning.]
²: [Update: They since removed the requirement for a credit card; it was there when this article was written]

Of course, there are security folks proposing other solutions. Some suggest the easy solution of just giving everyone new, more secure Social Security numbers. Alternatively, we could start using our REAL ID driver’s licenses and have one national identity number.

More sane folks are recommending a two-pronged approach that doesn’t require using Equifax’s protection: the most common suggestion is placing a fraud alert on your records and paying for a freeze to prevent new accounts from being opened. All good ideas.

As for me, I’m going to wait and see. With 143 Million pieces of data, their odds of picking me are, well, 1 in 143 million. That’s pretty small. Plus the information has been out there for months — and with information like this, you have to use it quickly or it loses its value. Have we seen an uptick in identity theft? I haven’t heard of anything. I strongly suspect that this was a nation state, just like the OPM breach, and only select data will be used, for sophisticated spear phishing attacks. After all, why do they need to do the fraud when they can get you to unlock the door? Further, this isn’t the only attack: you’ve likely already had your information released (see this site).

Oh, and before you get scared about using the Internet, think about this: You don’t have to be an Internet user to have your information in the Equifax data. You just have to have had credit at some point in your life. The fault was with Equifax, the company you trusted to protect your data. Oh, that’s right. You didn’t choose Equifax. The fault was with Equifax, the company other companies trusted to give them accurate credit data. Equifax didn’t care about you or your credit. And neither did that little minx, Wendy*.

It is not in Equifax’s business model to protect your data: well, they’ll protect it only until they can sell it to the highest bidder. Remember the adage: If you get the service for free, you’re not the customer, you’re the product. [Translation: Equifax and other credit reporters make money by selling your data. Until their customers — the financial organizations that buy their data — demand accurate information, nothing will change. They won’t demand as long as it doesn’t cost them. They don’t pay the cost of the identity theft — you do.]

Feel better now? If not, wait a bit. I’ll be posting something this evening that will make you feel much better, even if your pants are down.

*[Paraphrasing my favorite Alton Brown quote, long since removed from his website:]

Here’s what it comes down to, kids. Equifax doesn’t give a damn about you. Neither does that little minx Rachel from Card Services or any of the other icons of finance. And you know what, they’re not supposed to. They’re businesses doing what businesses do. They don’t love you. They are not going to laugh with you on your birthdays, or hold you when you’re sick and sad. They won’t be with you when you graduate, when your children are born or when you die. You will be with you and your family and friends will be with you. And, if you’re any kind of human being, you will be there for them. And you know what, you and your family and friends are supposed to watch out for you too. That’s right folks, protecting someone else’s information is an act of caring. We will always be protected best by those that care, be it ourselves or the aforementioned friends and family.

We are having our information exposed and exploited and exploited again because we have handed a basic, fundamental and intimate function of life over to corporations. We choose to value our information so little that we entrust it to strangers. We hand our lives over to big companies and then drag them to court when the deal goes bad. This is insanity.

Complex passwords are still critical, but the answer is not an unpronounceable mix of letters and characters — because you can’t remember that. You can get equal or stronger passwords by choosing random words from the dictionary (passphrases): although the “string” is shorter (a handful of words instead of a dozen characters), the alphabet is larger (the whole dictionary instead of the printable characters). Math is math.
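To put “math is math” in numbers, here is an added example (not from the original post) that compares the entropy of a random character password with that of a dictionary passphrase. The 94-symbol printable-ASCII alphabet and the 7776-word Diceware list size are assumptions standing in for whatever character set and dictionary you actually use; the word list in the block is a tiny constructed stand-in so the code runs offline.

```python
import math
import secrets

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` independent, uniform picks
    out of `alphabet_size` symbols, i.e. log2(alphabet_size ** length).
    This only holds when every pick is truly random (no favourite words)."""
    return length * math.log2(alphabet_size)

def words_needed(alphabet_size: int, length: int, wordlist_size: int) -> int:
    """Smallest passphrase word count that matches or beats the entropy of a
    random `length`-character string drawn from `alphabet_size` symbols."""
    target = entropy_bits(alphabet_size, length)
    return math.ceil(target / math.log2(wordlist_size))

def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words uniformly with a CSPRNG (secrets, never random.choice)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))

# Assumed sizes for the comparison (not from the original post).
PRINTABLE_ASCII = 94      # letters, digits and punctuation you can type
DICEWARE_WORDS = 7776     # entries in a standard 6**5-word Diceware list

# Tiny constructed word list so the block runs offline; the entropy figures
# above assume a real list of DICEWARE_WORDS entries.
SAMPLE_WORDS = ["anchor", "bishop", "copper", "dagger",
                "ember", "falcon", "granite", "harbor"]

if __name__ == "__main__":
    rows = [("10 random printable-ASCII characters", entropy_bits(PRINTABLE_ASCII, 10)),
            ("5 Diceware words", entropy_bits(DICEWARE_WORDS, 5)),
            ("6 Diceware words", entropy_bits(DICEWARE_WORDS, 6))]
    for name, bits in rows:
        print(f"{name:40s} {bits:6.2f} bits")
    print("words needed to beat 10 random characters:",
          words_needed(PRINTABLE_ASCII, 10, DICEWARE_WORDS))
    print("sample passphrase (toy list):", generate_passphrase(SAMPLE_WORDS, 6))
```

Five words from a 7776-word list come within a bit of ten random printable characters, and six words beat them; the five words are far easier to remember.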

Frequent password changes undermine strength not because changing is bad in itself, but because human nature is. If you have to change things frequently, you fall back on patterns that make passwords easier to remember — and easier to break.

In reality, the best solution is still a high-quality Password Manager, with a strong master password. In the password manager, you can create strong passwords for all your sites — unique for each site — and not have to remember them. This is something I recommend (rather than using Facebook authentication for everything, which is not only weak but gives FB far too much information). I’ve recommended Lastpass for a long time for this purpose. It can keep track not only of passwords, but of all that information you fill into forms — such as credit card info — so that you are storing it in your encrypted password vault, not on another machine where you depend on their encryption.

Recently, Lastpass changed their charging model: they upped the price (without notice) of Lastpass Premium from $12 to $24 a year. Everyone was up in arms! Heaven forfend! Doubling the price! (Never mind the fact that we’re talking $1 a month, which is noise, but hey, it’s the percentage!). It’s a concern for me: we have three Lastpass Premium accounts. However, I plan to move to the Family pricing model (which is worth it for 2 or more family members); hopefully, Lastpass will provide a way to consolidate existing Premium accounts into a single Family account, with pro rata balances applied toward the fee.

This is a companion lunchtime post to my previous one. Whereas that post focused on government-related areas, this post shares some cybersecurity items of broader interest:

Two Factor Authentication. The Verge has an interesting opinion piece on why two-factor authentication has failed us. We have a mix of approaches, some still depending on SMS even though there are significant weaknesses there. As they say: “Nearly all major web services now provide some form of two-factor authentication, but they vary greatly in how well they protect accounts. Dedicated hackers have little problem bypassing through the weaker implementations, either by intercepting codes or exploiting account-recovery systems. We talk about two-factor like aspirin — a uniform, all-purpose fix that’s straightforward to apply — but the reality is far more complex. The general framework still offers meaningful protection, but it’s time to be honest about its limits. In 2017, just having two-factor is no longer enough.”

Backup Software. One of the best solutions for security — and a key protection against ransomware — is having backups. But Windows backup software is often hit or miss. Here’s a good review of various packages from PC World. I’ve been using an older version of their top-rated software for a few years now: I’m on Acronis True Image 2015. It backs up to the cloud without a subscription. Their newer stuff seems to have some different models, and I haven’t decided (a) if I want to upgrade, and (b) if I want to go with their subscription approach. I’ll also note that I’ve used the Paragon backup (an older version). What I didn’t like was that it grabbed every partition on the system, and did really bad space management such that your backups would fill a drive.

Family Passwords. This week, Lastpass announced a new service: A family password manager. As they write: “Enter LastPass Families, where you can store everything from bank accounts to passports to credit cards. Your details are secure, organized the way you want, and easily shared with your spouse, kids, in-laws, and more. You can even give access to others in the event of an emergency. The family manager can quickly add and remove members to the account, making it easy to get everyone up and running.” I still need to figure out if this service (or how this service) is an improvement over multiple Lastpass accounts. They also indicate that there is a fee for the service beyond Lastpass Premium, but if I have multiple family members with LP Premium, can things somehow be combined into one account that takes into account what has been paid? Perhaps they’ll answer this post.

Over the past few weeks, I’ve collected a number of articles related to, shall we say, work-related topics. Here is where I share them with you, while enjoying my lunch:

Headline: “Air Force operationalizes new cybersecurity plans”. This is a really interesting article detailing some of the changes being made in the Air Force to improve their cybersecurity stance. For those with an interest in cybersecurity and resilience, it is a move in the right direction.

Headline: “There may soon be a new US military service — for space”. There’s one problem with the US Air Force. There’s no air in space. This article is about a potential separation between the Air Force side and the “Space Force”, with a notion that the Space Force would be like the Marines: part of, but yet separate from, the Air Force. It will be interesting to see how this pans out.

Headline: “Malware protection for air-gapped systems”. One of the ways we supposedly protect systems is through air gaps — that is, no actual network connections. Yet as we saw with Stuxnet, such gaps don’t always work. This explores the way one vendor is addressing protection for such systems.

Headline: “U.S. to create the independent U.S. Cyber Command, split off from NSA”. The Department of Defense has many broad commands, most representing geographic areas (think Atlantic Command, Pacific Command, etc.) or broad functional areas (Strategic Command). One recent command created was Cyber Command, but it was part of and colocated with NSA. This article, as well as this one, discuss the potential separation of the two. This would permit Cyber Command to focus on cyber-related defense activities (and possibly offense), and NSA to focus on its intelligence role. What they don’t discuss is the disposition of the unclassified side of NSA — what was once the National Computer Security Center, and now would include things like the Common Criteria folk. My guess is that the separation is easier in theory than in practice.

This has been a busy busy week, and I haven’t had a chance to work on clearing out the news chum until now. This first collection is all computer related:

Going Phishing. Hopefully, you’re all cyber-aware. You know not to trust links in email you receive. You’ve been trained to look at where a URL goes before you click on it. You know not to click on links in email; you’ll copy the link and paste it into your browser bar. You know not to trust sites that aren’t the well-known version. But https://аррӏе.com is safe, right? Right? RIGHT? Actually, no. It may look like it reads “apple”, but that’s actually a bunch of Cyrillic characters: A (а), Er (р), Er (р), Palochka (ӏ), Ie (е). The security certificate is real enough, but all it confirms is that you have a secure connection to аррӏе.com – which tells you nothing about whether you’re connected to a legitimate site or not. This is what is called a homograph attack. It is something that can fool the best people, even if you hover over and check the link before browsing — unless you’re using IE or Edge or Safari. Ars Technica has even more information, but the short and skinny is: If you use Chrome, make sure you’re at Chrome 58 or later; if you use Firefox, enter “about:config” in the address bar, agree to the displayed warning, and then enter “punycode” in the search box to bring up a line that reads network.IDN_show_punycode. Next, double-click the word “false” to change it to “true.” From then on, Firefox will display the “dumb ascii” characters and not the deceptive, encoded ones. I’ve done that, and now I see xn--80ak6aa92e.com when I hover over the link.
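The homograph problem in code, as an added example that is not from the original post: it decodes the punycode the author now sees (xn--80ak6aa92e) back to its five Cyrillic letters, and then applies a display rule similar in spirit to the Chrome 58 fix, showing a label as raw punycode only when it mixes scripts or is made entirely of Cyrillic letters that look Latin, while leaving ordinary internationalised names readable. The look-alike set is a partial, hand-picked assumption, and the sample hostnames other than the page’s own are constructed.

```python
import unicodedata

# Cyrillic letters that render almost identically to Latin ones in common fonts:
# а с е о р у х ӏ і ј ѕ һ.  A partial, hand-picked set (an assumption of this
# example); the five letters of the page's аррӏе domain are all in it.
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0441\u0435\u043e\u0440\u0443\u0445\u04cf\u0456\u0458\u0455\u04bb")

def decode_label(label: str) -> str:
    """A-label ('xn--...') to its Unicode form; other labels are returned unchanged."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def encode_label(label: str) -> str:
    """Unicode label to its ASCII 'xn--' form; pure-ASCII labels are returned unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def scripts_in(label: str) -> set:
    """Script names (LATIN, CYRILLIC, GREEK, ...) of the letters in a label,
    taken from the first word of each character's Unicode name."""
    found = set()
    for ch in label:
        if not ch.isalpha():
            continue                      # digits and hyphens belong to no script
        found.add("LATIN" if ch.isascii() else unicodedata.name(ch, "UNKNOWN").split()[0])
    return found

def is_confusable(label: str) -> bool:
    """True when a label is likely to be read as Latin although it is not:
    either it mixes scripts (a Latin word with one Cyrillic 'а' swapped in),
    or it is entirely Cyrillic and built only from Latin look-alikes (аррӏе)."""
    label = decode_label(label)
    if label.isascii():
        return False
    found = scripts_in(label)
    if len(found) > 1:
        return True
    letters = [ch for ch in label if ch.isalpha()]
    return found == {"CYRILLIC"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters)

def display_host(host: str) -> str:
    """Render a hostname the way a hardened address bar does: Unicode for
    ordinary internationalised labels, raw punycode for confusable ones."""
    shown = []
    for label in host.split("."):
        unicode_label = decode_label(label)
        shown.append(encode_label(unicode_label) if is_confusable(unicode_label) else unicode_label)
    return ".".join(shown)

if __name__ == "__main__":
    # Constructed sample hosts: the page's example in both spellings, a plain
    # ASCII host, an ordinary Russian IDN, and a Latin word with one Cyrillic 'а'.
    for h in ["apple.com", "xn--80ak6aa92e.com", "\u0430\u0440\u0440\u04cf\u0435.com",
              "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444", "p\u0430ypal.com"]:
        print(f"{h:24} -> {display_host(h)}")
```

The certificate check the paragraph describes happens after this stage: TLS only proves you reached the name shown, so the name itself has to be displayed honestly.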

Secure Coding. I grew up programming in Fortran, PL/I, Algol 68, RSTS/E Basic, and C. Except for perhaps Fortran and C, the rest are mostly dead. Today, kids program in C++ and Java — but they aren’t necessarily writing better programs. But following good standards can help. Here’s a link to a discussion on how to do secure coding in C++.

iPod without iTunes. If you are like me (and fewer are), you use your iPod for all your music (and you plan on adding more this Record Store Day). But do you back up your iPod? I do — via iTunes to my M: drive, and I back that up on my X: and W: drives and on a backup iPod. But most don’t — and most abhor iTunes. Here’s how to back up your iPod without using iTunes. I’ll note that I’ve used copytrans in the past (especially before I just kept everything in iTunes), and I’d recommend it.

Never Too Late. As I’m typing this, iTunes is playing “Never Too Late” (to tell the Truth) from Scottsboro Boys. If you’re like me, and like to tell the truth, you’ll be happy to know that Snopes is now embeddable. Here’s an example of an embedded article:

Continuing to clear the news chum, here are a bunch of articles all related to cybersecurity:

NIST Cybersecurity Framework is Changing. NIST is getting ready to release an update to their Cybersecurity Framework (and other updates are planned: eventually, the IPD of 800-53rev5 will be out for review, and then an update to 800-37). A key change in the new framework is measurement: The first, which should really be the starting point for any comprehensive cyber risk management program, is an entirely new section about measuring the performance and maturity of organizations’ cyber risk programs. It also discusses the need and complexity of correlating those metrics to business objectives and outcomes. That means measuring both how organizations are reducing risk to the business and identifying the benefits to the business resulting from good cybersecurity, such as how many new customers the organization has gained and/or how much more revenue was brought in. Another significant change in the framework is the addition of recommendations surrounding supply-chain risk management. Finally, the access-control category has changed within the framework. It was renamed to identity management and access control. The change adds more focus on making sure identities and credentials are managed from the time they are created to the time they are deactivated.

Minimal Cybersecurity Requirements. Although some of us have known about this for a while, the world is growing increasingly aware of NIST SP 800-171. The new mandates take effect Dec. 31 this year and apply to contractors for the Department of Defense, National Aeronautics and Space Administration (NASA) and the General Services Administration. While some manufacturers are accustomed to working with federal agencies on classified projects, these regulations are meant to safeguard sensitive information in unclassified material, particularly as the threat of cybersecurity breaches grows. Basically, they apply to any federal contractor that handles what is called Controlled Unclassified Information.

Printer Cartridges. Lastly, an interesting court case that could dictate how much you pay for ink. This week, oral arguments were heard in the case of Impression Products, Inc. v. Lexmark International, Inc., and according to the well-regarded SCOTUSblog, it seems that the justices are having a tough time figuring out how to view this difficult legal tangle themselves. At its most basic, the case is a dispute over Lexmark’s patent rights regarding refilling printer cartridges. Impression Products is a small business with about 25 employees. It specializes in buying used printer cartridges and re-manufacturing them. In 2012, Lexmark decided to add Impression to an already existing lawsuit against other re-manufacturers. While the other defendants eventually settled, Impression has stuck it out and the case has made it to the highest court in the land. The question is: Does the manufacturer give up rights to something when you physically purchase it? Can Lexmark dictate what you can do with your printer cartridge? Can HP dictate that you can’t open your computer and modify it? Big key questions.

Well, I like to think I fought the good fight. I mean, I’m an old fart. Old habits die hard, and for the longest time I just kept using the term I was used to, even though it was politically incorrect. After all, I held on to other ideas that I believed were morally superior, only to watch them get discredited by the new-think, by people that didn’t know what was right was right, and what was wrong was wrong.

Eventually, though, I caved. I started using the updated politically correct term. People no longer looked at me funny, they no longer made fun of the way that I talk. As for my discredited ideas, well, I kept them to myself, lest I be made fun of. After all, in today’s world, you have to use the right terms and speak the right way and think the right things.

Right?

But then, of course, a new term came in for what I previously knew. I resisted, because resistance is good. After all, the new term was, to put it bluntly, stupid. It was idiotic. It didn’t refer to what they said it referred to. But I forgot my Star Trek. Resistance is futile.

I grew up in an era when it was “Computer Security” and COMPUSEC, when we believed we could write multi-level secure systems that provided high assurance. What did we get for our efforts? perl, and a High Assurance Brake Job.

Then it became “Information Assurance” and “Information Security”. A1 systems? Sorry, but A1 was reserved for steak. Multi-level systems? They were for special uses; no one would write a general purpose MLS operating system. Formal Methods? Never in your wildest dreams — that’s Gypsy talk. Ina know about you, but I need some Jo.

But now? We have Cybersecurity and Cyber and Trustworthiness. We’ve lost the war. Here’s what HelpNet has to say:

We have lost the cyber war. No, not that cyber war. Maybe war of words is a better way to put it. Whether we like it or not, cyber has become the default way for everyone else to talk about what we do.

[…]

It’s tempting to take the moral high ground and refuse to engage with cyber. Instead, we could choose to refer only to information security because we believe it accurately reflects both physical documents as well as digital assets, while giving importance to each one.

It’s fair to say that some of the industry’s suspicion about cyber comes from the fact that it’s broad enough to cover the charlatans in the industry who think there’s a buck to be made by scaring people into stocking up on silver bullets instead of informing them in a responsible way about how security can help them to do business better.

[…]

But if you open a dictionary, you’ll find cybersecurity is the only term of its kind. One survey ranked information security as the least popular term among the general public, even lower than e-security.